GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701

Based on online data, GDPR fines increased by 40% in 2020, compared to the previous years since the law came into force, and they are expected to increase even more in the upcoming years.

In this light, organizations are facing challenges when it comes to compliance with the increased number of data privacy laws and regulations worldwide.

The webinar covers:
• ISO/IEC 27701 standard and its requirements
• GDPR requirements and principles mapped against ISO/IEC 27701
• An overview of CCPA requirements
• Upcoming US privacy laws

1. Agenda
   1. Introduction to the speakers: Toks Oyegunle & Samuel Plantié
   2. Introduction to the standard: ISO/IEC 27701
   3. A Privacy Management Maturity Map
   4. The benefits of implementing a PIMS
   5. The structure of ISO/IEC 27701
   6. ISO/IEC 27701, the GDPR and US regulations: a few basics
   7. High-level GDPR provisions
   8. GDPR, US laws and ISO 27701: similarities and differences
   9. Questions & Answers

2. Toks Oyegunle: An Introduction
   • Privacy and Cybersecurity Management Specialist
   • 27 years' experience in IT, project management, privacy and cybersecurity across multiple industries
   • Principal Consultant, Coach and NED
   • Helped companies resolve many challenges, including GDPR compliance and ISO/IEC 27701 implementation, audits and training
   • Multiple certifications across privacy and security
   • Studied Computing (BSc); Business Systems Analysis and Design (MSc); Harvard Business School alumnus

3. Samuel Plantié: An Introduction
   • Privacy Counsel at Outbrain
   • Data protection expert and IP/IT lawyer with over 6 years of experience
   • Focus on consumer and competition law issues in the digital market, AI, data ethics, the articulation of blockchain technology with data protection, and digital advertising
   • PhD in Law, CIPP/E, CIPM, and Fellow in Privacy

4. Introduction to ISO/IEC 27701: The Privacy Management Standard
   Full title: "Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines"
   • Specification for a Privacy Information Management System (PIMS)
   • A globally recognised International Standard from the ISO
   • Information-security based: an extension to ISO/IEC 27001 (ISMS)
   • Regulation agnostic: applicable to all global data protection regulations
   • May be aligned with or certified against
   • Can be independently audited
   • Clients are increasingly asking for ISO/IEC certification as a condition precedent

5. A Privacy Management Maturity Map

6. The Benefits of Implementing a PIMS
   1. Adopts a risk-based approach to data protection management
   2. Creates increased structure for data protection activities and management
   3. Builds trust, for all stakeholders, in the perceived ability to manage personal data
   4. Supports compliance with the GDPR and all other privacy regulations
   5. Facilitates continuous improvement to adapt to internal and external changes
   6. Embeds personal data management into the organisation's culture
   7. Provides increased independent assurance (audits, certification, reputation) to all stakeholders

7. The Structure of ISO/IEC 27701
   1. Scope
   2. Normative references
   3. Terms and definitions
   4. General
   5. PIMS-specific requirements related to ISO/IEC 27001
   6. PIMS-specific guidance related to ISO/IEC 27002
   7. Additional ISO/IEC 27002 guidance for PII controllers
   8. Additional ISO/IEC 27002 guidance for PII processors

8. The Structure of ISO/IEC 27701 (annexes)
   • Annex A: PIMS-specific reference control objectives and controls (PII controllers)
   • Annex B: PIMS-specific reference control objectives and controls (PII processors)
   • Annex C: Mapping to ISO/IEC 29100 (guidance for defining a privacy framework)
   • Annex D: Mapping to the General Data Protection Regulation (GDPR)
   • Annex E: Mapping to ISO/IEC 27018 (PII processors providing cloud services) and ISO/IEC 29151 (guidance and controls for PII controllers)
   • Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002

9. ISO 27701, the GDPR and US Regulations (Samuel Plantié)

10. A Few Basics: The Different Laws
   • General Data Protection Regulation (GDPR): a data protection and privacy law in force since May 2018, whose requirements apply to the processing of personal data of individuals located in the EU (and the UK) regardless of where the data controller is located
   • California Consumer Privacy Act (CCPA): a law in force since January 2020 that enhances privacy rights and consumer protection for residents of California. It will be supplemented by the Consumer Privacy Rights Act (CPRA), enforced from July 2023

11. A Few Basics: The Different Laws (continued)
   • Virginia Consumer Data Protection Act: effective January 2023
   • Colorado Privacy Act: effective July 2023
   • Ohio bill: would require organisations to have a NIST-compliant privacy program

12. A Few Basics: Certifications and Codes of Conduct
   • Although the GDPR provides for codes of conduct and certifications, no general tool has been approved to date; the approved ones are sector-specific (cloud services, cloud infrastructure service providers, or for DPOs)
   • NIST Privacy Framework: a voluntary tool that helps organisations identify, assess and mitigate privacy risks in their privacy programme (not a certification)
   • ISO/IEC 27701: an extension to the ISO 27001 standard (information security management system) covering personal data processing (not a GDPR certification)

13. High-Level GDPR Provisions
   • Material and territorial scope, definitions and principles, purpose, legal basis, consent, children's data, special categories of data
   • Data subject rights (information, access, rectification, erasure, restriction, data portability, objection, automated decision-making)
   • Obligations of controllers, joint controllers and processors

14. High-Level GDPR Provisions (continued)
   • Records of processing activities, security measures (high level), personal data breach notification, privacy by design and by default (DPIA), mandatory designation of a DPO
   • International transfers
   • Regulatory provisions, enforcement, EDPB, one-stop shop

15. GDPR, US Laws and ISO 27701: Similarities
   • GDPR and ISO 27701 overlap in many areas; most controls required by ISO 27701 fall under the accountability requirements of the GDPR
   • The same holds for the CCPA and CPRA, the Virginia Consumer Data Protection Act and the Colorado Privacy Act: many obligations under these laws are captured by the controls of ISO 27701

16. GDPR, US Laws and ISO 27701: Differences
   • Definitions of personal data and personally identifiable information: the GDPR's definition is broader
   • ISO 27701 is a list of controls: ticking a control does not mean the processing is compliant (e.g. data retained for too long, an unlawful purpose); it only helps demonstrate accountability and provides a standard to audit against
   • Threshold and scope of US laws: they apply only in the private sector, only above a minimum revenue or volume of data processed, and only to consumers (the CPRA also applies to employees)

17. Thank You: Toks K. Oyegunle, Samuel Plantié